Secure method and system for handling and distributing digital media

ABSTRACT

A great deal of intellectual property is currently handled digitally, in the form of audible, visual, or audio-visual files or data streams. With today's powerful electronic equipment and communication networks such as the internet, this digital content can be reproduced flawlessly and distributed without control. While attempts have been made to protect such digital content, none of the existing protection techniques have been successful. The invention provides a system and method of protecting digital content by integrating the digital content with an executable software package such as a digital media player, executing some sort of protection mechanism (such as password, watermark or encryption protection), and then encoding the software into a tamper-resistant form. In this way, the digital content can be used by initiating the executable software it was encoded with, but the content itself cannot be accessed, nor can the protection mechanism be cracked.

RELATED APPLICATIONS

This application is a National Stage Application of PCT/CA02/01170, based on a prior Canadian Application No. 2,354,470 having an earliest priority date of Jul. 30, 2001, the entirety of which are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to computer software and communication, and more specifically, to a method and system which allows digital media to be securely handled and distributed.

BACKGROUND OF THE INVENTION

Much valuable intellectual property takes audible, visual, or audio-visual forms, and can be transported electronically as digital files or digital streams. Such high-value information, representable as a digital file or a digital stream, is referred to herein as content. Such content includes books (transmissible forms for print media), popular songs, both in audible form and in audio-visual (‘rock video’) forms, movies, sports broadcasts, and news in a variety of forms including text, audio, or audio-visual. Such digital content is well structured for presentation to end users, however, it is poorly structured for enforcement of ownership rights.

Digital devices and communication networks are now almost pervasive in industrialized nations. Because these systems are digital, the storage, transfer and reproduction of data can be performed flawlessly; each successive copy of a digital file may be made precisely the same as the original. This ability to copy and transfer digital data with virtually no loss in quality is having a great impact on many digital rights holders, including music, movie and software producers.

Many techniques for protecting the intellectual property rights of these digital content and software producers have been proposed but have had little success.

Currently, the protection of this intellectual property is provided by means which separate the protection from the content. For example, if the content is protected by encryption, it cannot be used without decryption, and the device or program which performs the decryption is separate from the file or stream containing the encrypted content.

This model does have an advantage in that a media player can be distributed once and then can handle various forms of content. However, content files are now becoming sufficiently large that the resource savings from using a single, universal player, is becoming less and less significant. A two-minute movie trailer, for example, may require 4 MB (megabytes, or millions of bytes) of data, while a simple MPEG (motion picture experts group) player may only require 80 KB (kilobytes); 2% of the size of the data file. As well, universal media players have a number of weaknesses as noted below.

First, the media player, since it covers much content, is re-used a great deal. If the protections in the media player are ever compromised, all content played via that media player is exposed. That is, when the media player is separate from the content, it is vulnerable to class cracks: cracking the media player effectively cracks the protection for all content that it can play.

Some audio players, for example, will allow the user to play AVI files (a common format for digital audio files), but because a certain flag has been set in the AVI file, will not allow it to be copied or stored. If the audio player can be modified so that it can no longer detect this flag, then the audio player will allow all AVI files to be copied or stored without restriction.

Also, in practice, the separation of the protection measures from the protected content has meant that the protection is not provided by the content owner. For example, the National Basketball Association (NBA) does not own the media via which NBA games are broadcast or web-cast, and does not provide the hardware or software used to protect this content. Even content owners such as Warner Brothers do not typically own the means whereby the presentation of their content is protected when displayed on a personal computer (PC) or transmitted via a set-top box on a television set. Hence, the separation requires that the content owner trust intermediaries in order to be paid for providing it.

Digital marking may be used to provide legally enforceable copyright protection.

The two most common digital marking techniques are: 1. watermarking; the embedding of a hidden copyright message in a data file; and 2. fingerprinting; the embedding of a hidden identification number such as a serial number in a data file. (see, for example, Protecting Ownership Rights Through Digital Watermarking, H. Berghel and L. O'Gorman, 1996, IEEE Computer 29: 7, pp. 101-103, and Protecting Digital Media Content, Nasir Memon and Ping Wah Wong, 1998, Communications of the ACM 41: 7, pp. 34-43). Additional marking techniques are known in the art.

However, the nature of digital media makes it so difficult to provide effective digital marking that some consider it impossible to provide an indelible digital mark (i.e., one which must be preserved if the content is substantially preserved). Memon et al provide commentary on this, as do Fabien A. P. Petitcolas, Ross J. Anderson, and Markus G. Kuhn in “Attacks on Copyright Marking Systems” 1998, 2nd Workshop on Information Hiding, LNCS vol. 1525 (isbn 3-540-65386-4), pp. 218-238. In this case, the separation of the protection (legal enforcement) from the would-be protection (the watermark) is not the problem: rather, the easy erasure of the mark is.

Digital marking, were it truly feasible, would provide an alternative protection model, based on legal enforcement (as with the current copyright for printed matter).

However, it is currently trapped between two incompatible needs (see Memon et al, Bender et al, or W. Bender, D. Gruhl, N. Morimoto, and A. Lu. 1996. Techniques for data hiding. IBM Systems Journal 35: 3-4, pp. 313-336, for example). A digital mark is a steganographic embedding of a copyright message or an identification code in a digital information stream (such as a video or audio stream). Its concealment from the attacker is required so that it cannot be removed trivially. Hence, it must affect those aspects of the data stream which are unimportant to the content as perceived by the human viewer or listener. One such technique is to store a digital mark in the least significant bits of data points which are not critical to the user's enjoyment of the data file.

However, an attacker, knowing that the digital mark is embedded in such ‘perceptually irrelevant’ information, can simply scramble all such perceptually unimportant aspects of the data stream or data file, thereby either erasing the mark or rendering it sufficiently ambiguous that it becomes useless.
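The fragility described in the two paragraphs above can be measured directly. The following is an added example, not part of the patent: it embeds a mark in the least significant bits of constructed 16-bit samples and reports how much of the mark a detector still recovers once those bits are re-randomized. All function names are hypothetical.

```python
import random


def embed_lsb(samples, mark_bits):
    """Store one mark bit in the least significant bit of each leading sample."""
    out = list(samples)
    for i, bit in enumerate(mark_bits):
        out[i] = (out[i] & ~1) | bit
    return out


def extract_lsb(samples, n_bits):
    """Detector side: read the mark back from the first n_bits samples."""
    return [s & 1 for s in samples[:n_bits]]


def match_ratio(expected, recovered):
    """Fraction of mark bits recovered correctly (0.5 is pure chance)."""
    hits = sum(1 for e, r in zip(expected, recovered) if e == r)
    return hits / len(expected)


def rerandomize_lsb(samples, rng):
    """The perceptually irrelevant change: every LSB replaced by a coin flip."""
    return [(s & ~1) | rng.getrandbits(1) for s in samples]


def robustness_demo(seed=2001):
    rng = random.Random(seed)
    # Constructed input: 4096 unsigned 16-bit samples and a 1024-bit mark.
    samples = [rng.randrange(0, 65536) for _ in range(4096)]
    mark = [rng.getrandbits(1) for _ in range(1024)]

    marked = embed_lsb(samples, mark)
    degraded = rerandomize_lsb(marked, rng)

    return {
        "clean_match": match_ratio(mark, extract_lsb(marked, len(mark))),
        "scrambled_match": match_ratio(mark, extract_lsb(degraded, len(mark))),
        # Largest per-sample change: at most one quantization step.
        "max_sample_change": max(abs(a - b) for a, b in zip(marked, degraded)),
    }


if __name__ == "__main__":
    print(robustness_demo())
```

A recovery rate near 0.5 means the detector does no better than guessing, while the content itself moved by at most one quantization step per sample.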

That is, the very nature of digital media, the digitization of a perceptually imprecise analog signal, militates against the feasibility of indelible digital marking in such media files or streams. While this problem may well be solved in the long run, in the current state of the art, it remains an unsolved problem (even if it were solved, it would still be safer to deploy it in concert with the instant invention, in order to increase the protection of the digital content).

There is therefore a need for a method and system of handling and distributing digital media in a manner which is secure against attack. This method and system should preferably reduce the content owner's cost of content presentation to consumers, and change the nature of the protected entity so that effective digital watermarking is feasible.

SUMMARY OF THE INVENTION

It is therefore an object of the invention to provide a novel method and system of access control which obviates or mitigates at least one of the disadvantages of the prior art.

The instant invention addresses the above needs by combining the informational and protective aspects of digital content, whether in files or in transmitted streams, into a single entity which contains both an instance of digital content and the protection needed for such content.

In other words, the invention provides means whereby the protective machinery for the content (much of which is executable) and the digital content itself (which is usually not executable per se) can be combined, reducing the risk of piracy and reducing the cost of players which provide the content to consumers. It also changes the nature of what is protected so that indelible digital watermarking becomes feasible in the present, instead of at some unknown future date. Finally, it permits protection to be provided individually for different instances of active content, preventing the exposure of a great deal of content via a class crack on the player.

We call such a combination, containing:

-   1. enforced behaviour,
-   2. content protection,
-   3. a form suitable for digital watermarking, and
-   4. protected digital content,

active content, and its use in connection with appropriate media, secure digital media.

According to the preferred embodiment of the invention, active content is in the form of tamper-resistant software (TRS) which either contains or accesses a large volume of information (the digital content).

Active content has three highly desirable characteristics: 1. protection can be ab initio, that is, the content can be released to any intermediary distributor in an already-protected form; 2. since the protection is not separable from the content, there is no fear of class cracks. Each new piece of content requires a separate crack of the separate instance of active content in which it is embedded; and 3. the fact that active content is essentially a program containing or emitting a large digital information stream, rather than the digital information stream itself, permits effectively indelible digital marking. That is, it permits the application of a digital mark which is prohibitively effortful for an attacker to remove.

One aspect of the invention is broadly defined as a method of protecting digital content comprising the steps of: integrating a digital media player with a set of data content; effecting a protection mechanism; and encoding the protected, integrated digital media player and data content, to tamper-resistant form; thereby securing the data content in an executable file, and payable.

Another aspect of the invention is defined as an electronic device comprising: means for integrating a digital media player with a set of data content; means for effecting a protection mechanism; and means for encoding the protected, integrated digital media player and data content, to tamper-resistant form.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the invention will become more apparent from the following description in which reference is made to the appended drawings in which:

FIG. 1 presents a flow chart of a general algorithm for implementation of the invention;

FIG. 2 presents an exemplary computer system in which the invention may be embodied;

FIG. 3 presents a flow chart of a method for performing control-flow encoding in an embodiment of the invention;

FIG. 4 presents a flow chart of a method for performing white-box encoding in an embodiment of the invention; and

FIG. 5 presents a flow chart of an exemplary method of the invention.

DESCRIPTION OF THE INVENTION

According to the invention, digital content which is to be protected is incorporated into an executable program. This program, we call active content, since it is an executable wrapping for some data entity.

By a ‘program’, we mean an executable entity, including its data. The data, or parts of the data, may be separate from the program proper. However, the program and the data are designed to be used together, whether the data is in the form of a small amount of information which could fit easily into a computer's memory, or a larger amount which could be stored in a file on some mass medium such as a magnetic disk, drum, or CD ROM, or an input stream received over some form of communications network over some period of time.

There is a spectrum of software protection which runs from ordinary software through obfuscated software to TRS. Ordinary software is wide open to attack: it neither conceals information nor degenerates into nonsense when subjected to tampering. Obfuscated software has been intentionally modified to conceal its information. However, unlike TRS, obfuscated software may be modified by tampering without degenerating into nonsense.

At the far end of the spectrum lies TRS. TRS is software which: 1. conceals its embedded secret information from an attacker; and 2. resists tampering, in the sense that modifying the code will, with high probability, produce nonsensical behaviour.

That is, it is computationally very difficult to make a change to the software which the attacker would consider useful. Making arbitrary, non-purposeful changes is, as with any stream of digital information, trivial. TRS protects software against effective, goal-directed changes such as overcoming a protection mechanism.

As in the case of encryption, the protection provided by TRS is relative, rather than absolute. TRS makes the job of the attacker highly effortful. The level of effort can be varied by varying the degree and variety of software encoding used in converting the software to be protected into TRS form. When an appropriately strong level of TRS protection is used, this means, as in the case of encryption, that in practice, the protective measures in TRS are prohibitively costly to bypass.

However, there is a profound difference between the encryption of a message into ciphertext and the conversion of software into TRS: ciphertext is useful only when it is decrypted, whereas TRS is useful without any change of form. That is, TRS is executable, just as normal software is. The TRS version of a program does the same job as the normal version of the program, but it is far less vulnerable to hacking attacks.

There are commercially available obfuscators for this purpose. Our preferred embodiment for active content, which maximizes the efficacy of the content protection, behavioural enforcement, and digital marking it provides, is to convert the active content to TRS form described using the techniques hereinafter.

The broad methodology of the invention, which addresses the objects outlined above, is presented as a flow chart of FIG. 1. This figure presents a method for securing media files which proceeds generally as follows.

First, a media player is integrated with a data content file at step 20. As will become clear from the description which follows, the “integration” may take many forms. At one extreme, the data content may be stored within the media player, the two entities becoming a single file. In other cases, the “integration” may simply consist of coding the media player to point at a targeted data content file.

Also, while this example of the invention implies that the “media player” is an audio, visual or audio/visual player, clearly the invention is not so limited. The “media player” could also present still images such as Autocad drawings or email text, or any other content which might be presented to the end user.

This step might be performed in response to a command line input, interaction with a GUI (graphic user interface), instruction from another application, or another technique as known in the art. In some cases this step may require the compilation and storage of high level computer code as executable code, while in other cases the media player may already be in an executable form. The invention is not limited by the manner in which this is done.

Next, a protection mechanism is now effected on the integrated media player and data content, at step 22. There are a number of protection mechanisms known in the art, including the following: 1. applying a digital mark to the data content; 2. encrypting the data content; or 3. requiring that the user enter a correct password before certain functionality is allowed.

As will be clear from the description which follows, other techniques could also be used. Several are described in greater detail hereinafter.

In many cases, media players have one or more of the above already integrated with their software. Thus, it is simply a matter of effecting the protection which is already there.

The integrated and protected media player/content file is then encoded using tamper-resistant software (TRS) encoding techniques at step 24. Protecting the executable program using TRS encoding techniques prevents attackers from analyzing the operation of the software, which prevents attackers from overcoming the protection mechanism effected at step 22, or extracting any of the digital content contained in the executable code into a freely usable form. A number of tamper resistant software (TRS) encoding techniques are known in the art.

Encoding software into a TRS form frustrates the attacks of hostile parties in at least the following ways: 1. it generates software which is “obscure”; that is, software whose inner workings are incomprehensible; and 2. it generates software which is “chaotic” in that a modification at any point will almost certainly produce a nonsensical result.

The obscurity of TRS, and its chaotic response to tampering, are both relative rather than absolute. As in the case of the obscurity provided by cryptography, these properties are removable in principle: however, we can make the required effort for such removal expensive for the attacker. TRS techniques which are particularly effective in active content applications are described hereinafter.

The requirement for making this approach viable is that reversal of the TRS obscurity be prohibitively expensive for the attacker. Thanks to the processing power and memory capacity of computing devices available today, the executable code can be cloaked with a high degree of TRS-protection, yet still be executed quickly enough that it can be used for real time applications such as playing media files.

As will be described hereinafter, different portions of the executable code can (and should) be protected using different TRS encoding techniques. Tasks that need not be performed in real time, such as checking a password, may be protected with very intensive TRS encoding; users will not generally be concerned about a five second delay when attempting access, so very strong TRS protection may be applied to this portion of the executable code. Also, the more computer resources required to run the access checking routine the harder an attack will be: an attacker needs many runs for cracking whereas regular operation requires just one run. In contrast, tasks that must be performed in real time, such as the playing of content, may have to be protected with a more modest degree of TRS encoding.

While FIG. 1 implies that the step of tamper-resistant encoding (step 24) must be done after steps 20 and 22, the invention is not so restricted. In fact, the step of tamper-resistant encoding can be performed after either step, or at any point within either step. As noted above, the TRS-encoding may be applied to different portions of the executable software code in different ways. Thus, the TRS-encoding software may be implemented as a set of separate routines which are applied to the targeted executable software in different ways, and at different times.

Note that the usual procedure in preparing TRS, is to “throw away the key” after the encoding is performed. That is, to destroy the encoding information, intermediate values and variables, used to perform the TRS encoding, after it has been completed. Thus, not even the owner can reverse engineer the encoded software.

The broad method of the invention thereby provides a number of major advantages over the prior art. To begin with, it enables digital media to be securely handled and distributed, the digital media being obscured so it cannot be compromised by an attacker. With the separation of protection from content avoided, the owner of the intellectual property can provide ab initio protection for the property: it could leave the premises of the owner already protected, reducing the owner's risk of piracy and its consequent financial loss.

The method of the invention also reduces the content owner's costs. Since part of the value of playing the content is the protection, it raises the value of the content at the expense of the content-playing software. Fusing the protection with the content itself, rather than relying on the protective aspect of the player, reduces the complexity and therefore the cost, of the player which presents the content to the consumer. The player could be a very low cost commodity indeed, reducing the owner's cost in presenting the content to a consumer.

As well, with the invention, the content owner is no longer controlled by the supplier of the media player, as any media player may now be used. This provides content owners with a major business advantage over their previous position.

The preferred embodiments described hereinafter provide many further advantages over the prior art.

PREFERRED EMBODIMENTS OF THE INVENTION

First, by means of background, it is noted that the method of the invention may be applied on virtually any computer or microprocessor-based system. An exemplary system on which the invention may be implemented, is presented as a block diagram in FIG. 2. This computer system 30 includes a display 32, keyboard 34, computer 36 and external devices 38.

The computer 36 may contain one or more processors, microprocessors, digital signal processors or micro-controllers, such as a central processing unit (CPU) 40. The CPU 40 performs arithmetic calculations and control functions to execute software stored in an internal memory 42, preferably random access memory (RAM) and/or read only memory (ROM), and possibly additional memory 44. The additional memory 44 may include, for example: mass memory storage, hard disk drives, floppy disk drives, magnetic tape drives, compact disk drives, program cartridges and cartridge interfaces such as those found in video game devices, removable memory chips such as EPROM or PROM, or similar storage media as known in the art. This additional memory 44 may be physically internal to the computer 36, or external as shown in FIG. 2.

The computer system 30 may also include other similar means for allowing computer programs or other instructions to be loaded. Such means can include, for example, a communications interface 46 which allows software and data to be transferred between the computer system 30 and external systems. Examples of communications interface 46 can include a modem, a wireless transceiver, or a network interface such as an Ethernet card, a serial or parallel communications port.

Software and data transferred via communications interface 46 are in the form of signals which can be electronic, electromagnetic, optical or other signals capable of being received by communications interface 46. Multiple interfaces, of course, can be provided on a single computer system 30.

Input and output to and from the computer 36 is administered by the input/output (I/O) interface 48. This I/O interface 48 administers control of the display 32, keyboard 34, external devices 38 and other such components of the computer system 30.

The invention is described in these terms for convenience purposes only. It would be clear to one skilled in the art that the invention may be applied to other computer or control systems 30. Such systems would include all manner of appliances having computer or processor control including telephones, cellular telephones, televisions, television set top units, point of sale computers, automatic banking machines, lap top computers, servers, personal digital assistants (PDAs) and automobiles.

Second, while exemplary embodiments described herein focus on particular applications and digital rights management (DRM) techniques, the method of the invention may be applied to any manner of handling and distributing digital media.

Text documents, hardware simulation code, and voice message in a voice-over-IP environment, for example, could all be protected in this manner.

The most common techniques presently used for securing digital media are:

-   1. digital marks and fingerprints. As described above, this consists of embedding a message in the data content which allows the owner to demonstrate that the content is theirs;
-   2. password protection, which only allows access to the content if the user can input a certain alphanumeric character string or electronic key;
-   3. device bonding, which only allows the digital media to run on a specific electronic device. This is done by obtaining a machine fingerprint (such as a CPU number, NIC card number, Hard Drive volume name or number) that is hashed, and used as a key to encrypt the content or the integrated content and player; and
-   4. control flags, which limit the processing which can be performed on a given data file via flags set within it. For example, it is common to find audio files on the World Wide Web which can be downloaded and played, but not copied or stored. This is because the media players recognize flags within the content, which indicate that playing is allowed, but copying and storage should not be allowed.

Bonding to the platform will almost be inherent in the invention because a given media player will only run on a certain range of platforms. That is, if a data file is integrated with a media player that will only run on Windows ME, the user will not be able to export the integrated file to a device that is not Windows ME compatible.
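Device bonding as described above (fingerprint, hash, key, encrypt) can be sketched as follows. This is an added example, not the patent's implementation: the fingerprint field names are hypothetical, PBKDF2 stands in for the unspecified hash, and the HMAC-based keystream with an authentication tag is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os


def bonding_key(fingerprint, salt):
    """Hash the machine fingerprint into a 32-byte content key."""
    # Sorted, length-prefixed fields so two different fingerprints can never
    # serialize to the same byte string.
    material = b"".join(
        k.encode() + b"=" + len(v.encode()).to_bytes(2, "big") + v.encode()
        for k, v in sorted(fingerprint.items())
    )
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    out = bytearray()
    counter = 0
    while len(out) < n:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(content, fingerprint):
    """Encrypt content so that only the fingerprinted device can open it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = bonding_key(fingerprint, salt)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(content))
    ct = bytes(a ^ b for a, b in zip(content, stream))
    tag = hmac.new(_subkey(key, b"mac"), salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def open_sealed(blob, fingerprint):
    """Return the content, or None when run on a device with another fingerprint."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = bonding_key(fingerprint, salt)
    expected = hmac.new(_subkey(key, b"mac"), salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong device or modified file
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


if __name__ == "__main__":
    # Constructed sample fingerprints for two devices.
    device_a = {"cpu_id": "CPU-0001", "nic_mac": "00:00:5e:00:53:01", "volume": "VOL-A"}
    device_b = dict(device_a, nic_mac="00:00:5e:00:53:02")
    blob = seal(b"constructed media bytes", device_a)
    print(open_sealed(blob, device_a), open_sealed(blob, device_b))
```

The key is only as secret as the identifiers it is derived from, which are readable by any software on the device; that is one reason the page pairs bonding with tamper-resistant encoding of the code that performs the check.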

Note that research and development in the area of DRM is ongoing, and that advances are expected to occur continuously.

The suitability of a particular DRM technique for a particular application depends on many factors. The most important considerations are:

-   1. performance: the likelihood of allowing access to an attacker, or denying access to a legitimate user;
-   2. demand on computing resources. Some systems, like password-based systems, have very little demand on system resources. The additional code requires very little storage area, and the processing required to test an access attempt is not very CPU intensive. At the other extreme, encryption-based protection is very CPU intensive; and
-   3. long term usefulness. Over time, for example, users may forget the passwords that were used to restrict access to certain data files. Digital marking techniques do not have this problem as they should last as long as the content does.

There are also other criteria which may be significant in different applications.

Third, there are many TRS encoding techniques, some of which are proprietary, and some of which are known in the art. These techniques may generally be categorized as follows:

-   1. Cloaked data-flow concerns TRS implementation of ordinary computations on small pieces of data, the building blocks of larger computations;
-   2. Cloaked control-flow concerns TRS implementation of software decision making and the structure of execution, which glues all larger computations together from smaller pieces;
-   3. Cloaked mass data concerns TRS implementation of concepts such as files, arrays, dynamic allocation, and linked structures with potential aliasing; and
-   4. White-box encoding concerns cryptographic encoding of functions and transforms for an environment in which the software can be observed in complete detail without revealing internal data, such as a secret key.

It is somewhat misleading to divide encoding techniques out in this manner.

The above categories, while they are handled in different ways, are generally not handled in isolation. A significant degree of control-flow protection is achieved using data-flow encoding techniques, for example.

The variables in the control-flow statement IF X=2*Pi*R THEN GO TO 100 could be data-flow encoded by making the following substitutions throughout the program:

X′=0.5X+3
R′=R(2*Pi)

Substituting these equalities into the control-flow statement above yields: IF 2X′−6=R′ THEN GO TO 100. Thus, while only data-flow encoding has been performed, the control-flow statement has been obfuscated considerably.

We prefer that TRS be much more than simply obscure. It should also resist tampering. That is, it should preferably be aggressively fragile under tampering, so that attempts to change its functionality result, not in the desired change, but in useless pieces of nonsense code. (Avoiding a visible point of failure prevents leakage of information about why the functionality has become nonsense.) The techniques described herein, have this property.

As with encryption, the mapping from original form (plaintext or ordinary software, respectively) to encoded form (ciphertext or TRS, respectively) is one-way: it is very much easier to encrypt or cloak, respectively, than to decrypt or de-cloak, respectively, unless the secret information used in encrypting or cloaking is known.

However, the conversion of software into TRS form is not a form of encryption.

Encrypted messages are useless without a key. In contrast, TRS is software which can do its job perfectly well while remaining in TRS form. This is a significant difference, and means that the applications of cryptography and the applications of TRS are orthogonal and complementary: each does something that the other cannot.

Data-Flow Encoding

By data-flow, we mean the ‘ordinary computation’ of a program: addition, subtraction, multiplication, division, Boolean computations, masking operations, and the like: the scalar data-flow of a program.

There are two primary aspects of data-flow encoding: obscuring the computation to hide the data which the computation manipulates, and making the computations aggressively fragile under tampering.

The obscuring is achieved by various data encodings. Even very simple encodings can provide a great deal of protection. Our simplest encoding is of the form x′=sx+d, where x is original and x′ is cloaked. That is, at each point in the targeted program where the variable x appears, it is replaced with its encoding. When this is done for a large number, or all, of the variables in the targeted program, the resulting code will bear little resemblance to the original code.

An attacker may be able to deduce how unprotected software code operates because variables are generally defined with respect to “real-world” concepts and measures, and the equations will often look familiar. However, when the same program is protected by data-flow encoding, the variables will lose their “real-world” appearance, as will the equations. Thus, an attacker will not be able to obtain any useful information from a simple review and analysis of the encoded program.

Many other data-flow encodings may also be made. To perform a cloaked addition of constant c to variable x for example, we simply interpret the value of x′ according to x′=s(x−c)+d (i.e., according to x′=sx+k where k=d−cs) instead of according to x′=sx+d.

Note that the formula must subtract c. Since x′ has not changed, the new formula makes x appear to be larger, which is what we want. If we were to add c instead, we would actually be representing the subtraction of c from x.

To add a variable instead of a constant, we need actual code, but the transform space for addition using a 64-bit implementation is over 100 bits; a brute-force attack on a space of this size is plainly infeasible (a brute-force attack is one in which all possible combinations of data values are checked until the correct one has been discovered). The mappings we use in practice vary from the simple transformations above, to complex multidimensional transforms combining multiple mathematical domains. This approach is highly effective for obscuring the data-flow.
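The linear encoding above, worked through in C as an added example (not code from the patent). It assumes 64-bit arithmetic mod 2^64 with odd multipliers s so that each encoding is invertible; the constants and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Linear data encoding x' = s*x + d on 64-bit words (arithmetic mod 2^64).
   Assumption of this example: s is odd, so it has an inverse mod 2^64. */
typedef struct { uint64_t s, d; } enc_t;

/* Inverse of an odd value mod 2^64 by Newton iteration: x = a is already
   correct to 3 bits, and each step doubles the number of correct bits. */
static uint64_t inv64(uint64_t a) {
    uint64_t x = a;
    for (int i = 0; i < 5; i++)
        x *= 2 - a * x;
    return x;
}

static uint64_t encode(enc_t e, uint64_t x)  { return e.s * x + e.d; }
static uint64_t decode(enc_t e, uint64_t xp) { return inv64(e.s) * (xp - e.d); }

/* Cloaked addition of a constant c: the stored word x' is untouched; only
   its interpretation changes from x' = s*x + d to x' = s*(x - c) + d,
   that is x' = s*x + k with k = d - c*s. */
static enc_t reinterpret_plus_const(enc_t e, uint64_t c) {
    enc_t r = { e.s, e.d - c * e.s };
    return r;
}

/* Cloaked addition of two variables: z' = A*x' + B*y' + C. A, B and C are
   computed when the program is encoded, so none of the (s, d) pairs and no
   plain value of x, y or x + y appears in the run-time code. */
typedef struct { uint64_t A, B, C; } add_op_t;

static add_op_t make_add(enc_t ex, enc_t ey, enc_t ez) {
    add_op_t op;
    op.A = ez.s * inv64(ex.s);
    op.B = ez.s * inv64(ey.s);
    op.C = ez.d - op.A * ex.d - op.B * ey.d;
    return op;
}

static uint64_t cloaked_add(add_op_t op, uint64_t xp, uint64_t yp) {
    return op.A * xp + op.B * yp + op.C;
}

/* Constructed sample encodings for x, y and the result z. */
static const enc_t EX = { 0x9E3779B97F4A7C15ULL, 0x0123456789ABCDEFULL };
static const enc_t EY = { 0xC2B2AE3D27D4EB4FULL, 0xFEDCBA9876543210ULL };
static const enc_t EZ = { 0x165667B19E3779F9ULL, 0x0F0F0F0F0F0F0F0FULL };

/* Encode x, change only the interpretation, decode: yields x + c. */
uint64_t demo_add_const(uint64_t x, uint64_t c) {
    uint64_t xp = encode(EX, x);
    return decode(reinterpret_plus_const(EX, c), xp);
}

/* Add two differently encoded values without decoding either one. */
uint64_t demo_add_vars(uint64_t x, uint64_t y) {
    add_op_t op = make_add(EX, EY, EZ);
    uint64_t zp = cloaked_add(op, encode(EX, x), encode(EY, y));
    return decode(EZ, zp);
}

int main(void) {
    printf("x' for x=1000      : %016llx\n",
           (unsigned long long)encode(EX, 1000));
    printf("1000 + 42 (const)  : %llu\n",
           (unsigned long long)demo_add_const(1000, 42));
    printf("1000 + 234 (vars)  : %llu\n",
           (unsigned long long)demo_add_vars(1000, 234));
    return 0;
}
```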

The other aspect of data-flow cloaking for TRS is to induce aggressive fragility under tampering. This is achieved by generating code according to the following policies:

1. every computation depends on as many others as possible. This may be done simply by creating new variables which are defined as a combination of original variables;
2. the interdependencies are complex, so that, with high probability, an arbitrary change causes invalid computation to occur;
3. execution is ‘fake robust’: invalidities do not cause failure; execution simply continues in the form of nonsense computation. If, for example, an array A is known to have 100 elements, then converting the expression A[i] to the expression A[i mod 100] makes it fake-robust in that variable i may take on any value and not cause an array bounds error. However, certain values of variable i may cause nonsensical operation elsewhere in the program without causing a complete failure; and
4. any directed change to behaviour (i.e., any change whose result is not nonsense computation) requires that several changes, related in obscure and complex ways, be performed absolutely perfectly.

Further information on this subject is available in the co-pending patent application titled: Tamper Resistant Software Encoding, filed under the Patent Cooperation Treaty on Jun. 8, 2000, under Ser. No. PCT/CA00/00678, by Stanley Chow, Harold Johnson, and Yuan Gu.

Control-Flow Encoding

The control-flow of a program refers to the decision points and branch instructions that govern which lines of code in the program are to be executed. In broad terms, control-flow encoding increases tamper-resistance by adding fake-robust, data-driven, control transfers to the software code. If a large number of control transfers are added to the software code, it will be extremely difficult for the attacker to identify the specific line of control that he wishes to analyze or modify.

Generally, control-flow encoding ensures that what was one control transfer, has been instantiated in multiple parts of the code, and that control transfers from different parts of the code are often merged into one. As the added control transfers are fake-robust, the erroneously modified program will appear to continue executing properly, while in fact it is not. Since control is exercised using a complex data-driven scheme, any attempt to modify a single control transfer will almost certainly affect others (this is described as the “anti-hologram” property), especially where multiple control transfers are often combined into one (the “togetherness” property), as they are in this invention.

As well, if the attacker makes a number of modifications, by the time the erroneous operation is discovered, it will not be possible to tell which of the modifications caused the erroneous operation.

The general implementation of control-flow encoding is presented as a flow chart in FIG. 3. First, at step 50, the operations in the targeted code, preferably in SSA (single-static assignment) or similar intermediate form, are re-sorted without changing the semantics of the program. When the code is in an intermediate form, the interdependencies of the intermediate statements are clear and the bounds on what re-sorting could be performed may be easily determined. The understanding of these interdependencies is what allows multi-threading and optimization techniques as known in the art. SSA is a very commonly used intermediate form.

In the case of the invention, these instructions can be re-sorted so that a direct decompiling into high level language yields obscure results. However, an enormously greater benefit is realized with the synergy between re-sorting of the code and the creation of “fake-robust” targets at step 54. A fake-robust target is one which will appear to operate correctly when it is modified, but in fact, results in nonsensical operation.

The strategies and limitations for re-sorting the code instructions will vary between applications, and with the type of intermediate code that is used. These restrictions would be clear to one skilled in the art.

At step 52, the re-sorted code is copied into multiple different segments. For example, in a contiguous sequence of ten successive instructions, six distinct segments of five contiguous instructions each, may be identified (namely, the pieces comprising instructions 1 to 5, 2 to 6, 3 to 7, 4 to 8, 5 to 9, or 6 to 10 of the original sequence of ten instructions). Of course, many more distinct segments may be selected from the sequence of ten instructions by choosing segments of different lengths. Some of the selections will consist of segments or sequences of segments that will correctly mirror the functionality of the original program.

At step 54, new control transfer instructions are added to make reference to the new code segments created at step 52. These references will generally be fake robust as they refer to the segments of the original code that were slightly modified at step 52, but will not be perfectly fake robust unless measures are taken to ensure they will not fail. Fault-resistant programming techniques are known in the art and could be implemented as desired or required.

The targeted code is now protected by control-flow encoding.

Additional details on control-flow encoding may be found in the co-pending patent application titled: Tamper Resistant Software-Control-flow Encoding, filed under the Patent Co-operation Treaty on Aug. 18, 2000, under Ser. No. PCT/CA00/00943; inventors: Stanley Chow, Harold Johnson, and Yuan Gu.

When applied extensively, control-flow encoded software is cloaked so that:

1. each original operation is represented, variously cloaked, at multiple cloaked sites;
2. a single cloaked site also represents multiple original sites;
3. there is no difference between ‘decoy’ and ‘significant’ computation;
4. cloaked routines do not preserve the boundaries of the original routines;
5. execution paths include a pseudo-random component: any change in input data causes pervasive changes to branch patterns;
6. both data- and control-flow are made fake robust: the tampering does not cause failure (traps, core dumps, error messages, or the like); it simply causes execution to continue in a nonsense fashion; and
7. all aspects of control-flow are subjected to all aspects of data-flow cloaking.

This protects the control-flow of the targeted software from standard attacks as follows:

1. Branch jamming will not work because:
   a. no specific branch can be found to jam,
   b. jammed branches subvert the operation of the data-flow functions, producing nonsensical data-flow; and
   c. multiple sites require jamming, with sizable changes to their data-flow, to achieve the effect of a single branch jamming in the original program; and
2. simplification of the control-flow encoded software is extremely difficult because:
   a. due to various data-flow cloaking, distinct sites which share ‘original’ functionality have quite different code;
   b. data-flow coding mixes dependencies and hence, entropy among functionalities at each site, and the mixing must be fully understood before simplification is possible;
   c. simplification requires removal of the pseudo-random component from branches, but it appears indistinguishable from the normal components;
   d. simplification requires unraveling of both the branching and the data flow together; and
   e. almost any perturbation-based analysis on control-flow, in effect, involves branch jamming, and will fail as branch jamming will fail.

Mass Data Encoding

To convert large data structures into TRS form (arrays, linked structures, file buffers, and the like), we cloak them so that:

1. the information in the large data structures, and the addresses at which they are stored, are meaningless without the accessing code. The cloaked data structures themselves have no meaning for the data; and
2. uncloaked information appears nowhere; all aspects of such data always appear in cloaked form.

Our approach is general, and covers file input and output (I/O) as well as in-memory data structures, dynamic data structures, and aliasing.

Mass data encoding relies on the random or pseudo-random dispersion of data being stored, throughout the available memory or an area of the available memory.

This dispersion makes it very difficult for an attacker to locate certain pieces of data he is searching for, and also distributes the data values with respect to one another.

Thus, data are not stored in areas of the memory one might expect them to be, and there are no clearly identifiable blocks or patterns of data in the memory.

A simple technique for performing mass data encoding is to respond to a request to store a data value at a virtual address, by mapping that virtual address onto a randomly selected actual address. This mapping may be done in a truly random manner, but will generally be done in a pseudo-random manner, because of the difficulties in generating truly random numbers in pure software. A desirable technique for generating pseudo-random addresses is by use of a hash function, which generates what appears to be a random number from a given input. In the formal sense, the definition of a hash function is somewhat more restrictive, but it is clear in this case that any function may be employed which maps a given input onto a random or pseudo-random output.

Each time the encoded software routine is executed, it would access the stored data transparently because the pseudo-random mapping is built into the encoded program. This could allow a patient attacker to monitor all memory lookups and generate a mapping table, however, if the software routine was also protected using data and control-flow encoding, it would be virtually impossible to do so.

By storing data in a dispersed manner through the available memory space, it is impossible for an attacker to obtain anything meaningful from analyzing the stored memory. In the prior art, data is stored in successive or adjacent memory locations, but in the case of the invention, the memory-wise spatial relationship has been removed, and the data is now dispersed in a pseudo-random manner.

As noted above, this dispersion makes it difficult for an attacker to locate certain pieces of data he is searching for, but also distributes the data values with respect to one another. Thus, data are not stored in areas of the memory one might expect them to be, and there are no clearly identifiable blocks or patterns of data in the memory.

For example, one avenue of attacking an encrypted memory is to search for repetitious patterns. In a text document which is encrypted with a single key, a given word will appear as the same encrypted data, each time it occurs in the original document. Thus, the attacker can identify a block of encrypted code which appears to be repeated often in the memory and assume that it corresponds to a commonly used word. The attacker would start by identifying the statistically most common words, calculating a corresponding key, and determining whether the rest of the encoding makes sense in terms of that key. In English, candidates for a short encoding might include, for example: “the”, “is”, or “if”.

With mass data encoding, each of the letters in these short words could be stored in dispersed locations in the memory. Thus, when the word “the” is stored, the codes corresponding to these three letters will not appear together, but be randomly dispersed throughout the memory. There is therefore no repetition of a code pattern in the mass data storage, for an attacker to exploit.
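The address dispersion described above, as an added C example (not code from the patent): a 256-cell store whose virtual addresses pass through a small bijective mixing function, so the repeated word “the” is visible through the accessing code but not in a dump of the cells. The mixing constants, the 256-cell size and all names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CELLS 256                 /* size of the cloaked region */
static uint8_t raw[CELLS];        /* what a memory dump would show */

/* Pseudo-random mapping from virtual to actual address. Every step is
   invertible on 8 bits (odd multiplier, xor-shift), so the whole map is a
   bijection and no two virtual addresses collide. Constants hypothetical. */
static uint8_t phys_addr(uint8_t v) {
    uint8_t x = (uint8_t)(v * 157u + 0x5Bu);
    x ^= (uint8_t)(x >> 4);
    return (uint8_t)(x * 0x35u + 0xC1u);
}

static void    cloaked_store(uint8_t v, uint8_t b) { raw[phys_addr(v)] = b; }
static uint8_t cloaked_load(uint8_t v)             { return raw[phys_addr(v)]; }

/* Store a string at consecutive virtual addresses starting at base. */
static void store_text(uint8_t base, const char *s) {
    for (size_t i = 0; s[i] != '\0'; i++)
        cloaked_store((uint8_t)(base + i), (uint8_t)s[i]);
}

/* Read len bytes back through the mapping (the program's own view). */
static void load_text(uint8_t base, size_t len, char *out) {
    for (size_t i = 0; i < len; i++)
        out[i] = (char)cloaked_load((uint8_t)(base + i));
    out[len] = '\0';
}

/* Count contiguous occurrences of pat in a byte buffer. */
static int count_hits(const uint8_t *buf, size_t n, const char *pat) {
    size_t m = strlen(pat);
    int hits = 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0)
            hits++;
    return hits;
}

/* 1 if every virtual address maps to a distinct cell, else 0. */
int mapping_is_bijection(void) {
    uint8_t seen[CELLS] = {0};
    for (int v = 0; v < CELLS; v++) {
        uint8_t p = phys_addr((uint8_t)v);
        if (seen[p]) return 0;
        seen[p] = 1;
    }
    return 1;
}

static const char SAMPLE[] = "the the the";   /* constructed sample text */

/* Occurrences of "the" as seen by code that knows the mapping. */
int hits_in_program_view(void) {
    char view[sizeof SAMPLE];
    memset(raw, 0, sizeof raw);
    store_text(0, SAMPLE);
    load_text(0, sizeof SAMPLE - 1, view);
    return count_hits((const uint8_t *)view, sizeof SAMPLE - 1, "the");
}

/* Occurrences of "the" in the raw cells, as a memory dump would show. */
int hits_in_memory_dump(void) {
    memset(raw, 0, sizeof raw);
    store_text(0, SAMPLE);
    return count_hits(raw, CELLS, "the");
}

int main(void) {
    printf("bijection: %d\n", mapping_is_bijection());
    printf("\"the\" via accessing code: %d\n", hits_in_program_view());
    printf("\"the\" in raw cells:       %d\n", hits_in_memory_dump());
    for (int v = 0; v < 3; v++)
        printf("virtual %d -> cell %u\n", v, phys_addr((uint8_t)v));
    return 0;
}
```

The mapping here is fixed and visible in the code, which is the situation the text describes: it only resists analysis once the accessing code is itself data-flow and control-flow encoded.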

The following mass data encoding techniques may also be used to complement the main invention. These additional techniques may be applied collectively, or independently to obtain varying degrees of security:

1. using different hashes for different data addresses, making it more difficult for the attacker to correlate different codings;
2. varying the hashes and encryption keys while the target program is running, so that an attacker obtains no benefit from decoding only a part of the routine, at some point in time;
3. encrypting the data being stored; and
4. using data-flow encoding of the address and data before even beginning the mass data encoding. In this way, the data and addresses are encoded at all times and unprotected data is never exposed.

Additional details on mass data encoding appear in: Tamper Resistant Software-Mass Data Encoding, filed under the Patent Co-operation Treaty on Apr. 12, 2001, under Ser. No. PCT/CA01/00493; inventors: Stanley Chow, Harold Johnson, and Yuan Gu.

White-Box Encoding

White-box encoding concerns cryptographic computation which can be observed in complete detail without revealing internal data such as a secret key.

Most security software is designed under the assumption that the software will be applied in a secure environment, that is, in a black-box model. This is generally unrealistic, and as a result, most security software cannot withstand a concerted attack. The “white-box” encoding model assumes that an attacker will have complete access to the targeted software, and thus, the algorithm itself must be protected against analysis and modification.

The white-box techniques of the invention provide ways to make finding an embedded cryptographic key or other hidden information combinatorially difficult for the attacker, even under this severe threat model. Such methods are inherently bulkier and slower than software designed under a black-box model, but in digital mark extraction applications, the tradeoff is well worthwhile.

In broad terms, white-box encoding is implemented as shown in the flow chart of FIG. 4. Firstly, functions and transforms substantive to the targeted software program are identified at step 70. Next, new functions and transforms which alter the processing activity visible to the attacker are generated at step 72. The identified functions and transforms are then replaced with the new functions and transforms in the software program at step 74.

A large number of different techniques may be used to encode the functions and transforms identified at step 70. These techniques may be grouped generally as follows:

1. making transforms non-linear, so they cannot be reduced by an attacker;
2. making processing activity disappear, by generating new transforms that eliminate data (such as constants) and processing steps (such as combining two transforms together into one);
3. generating new, spurious, processing activity, by concatenating random transforms to real ones, and performing input and output encodings that introduce processing activity completely unrelated to the original data; and
4. encoding and widely diffusing sites of information transfer and/or combination and/or loss.

For example, a linear transform can be replaced with a simple lookup table. If unused portions of the lookup table are filled with random data, then the lookup table becomes non-linear and irreducible.

Lookup tables can also be partitioned so that they are accessed by concatenated input variables; that is, the table is indexed by the values of two variables, concatenated together. This has the effect of replacing two variables with a single variable having a lookup table which will generally be non-linear. If a lookup table is generated for a transform concatenated with a random transform, then the lookup table will almost certainly be non-linear and irreducible.
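The table replacement described above, as an added C example (not code from the patent): two key-dependent byte transforms are replaced by lookup tables wrapped in random input and output encodings, so the deployed evaluator contains neither key and the intermediate value only ever appears encoded. The two sample transforms, the keys, the xorshift generator and all names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference computation with embedded secrets (constructed sample keys). */
#define K1 0xA7u
#define K2 0x3Cu
static uint8_t rotl8(uint8_t x, int r) {
    return (uint8_t)((x << r) | (x >> (8 - r)));
}
static uint8_t step1(uint8_t x) { return rotl8((uint8_t)(x ^ K1), 3); }
static uint8_t step2(uint8_t y) { return (uint8_t)(y + K2); }

/* Small deterministic generator (xorshift32) so the example is repeatable;
   a real encoder would draw its encodings from a proper random source. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rng(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Fisher-Yates shuffle: p becomes a random bijection on bytes, inv its inverse. */
static void random_bijection(uint8_t p[256], uint8_t inv[256]) {
    for (int i = 0; i < 256; i++) p[i] = (uint8_t)i;
    for (int i = 255; i > 0; i--) {
        int j = (int)(rng() % (uint32_t)(i + 1));
        uint8_t t = p[i]; p[i] = p[j]; p[j] = t;
    }
    for (int i = 0; i < 256; i++) inv[p[i]] = (uint8_t)i;
}

/* Encodings: known to the table generator and to the trusted endpoints. */
static uint8_t enc_in[256],  dec_in[256];
static uint8_t enc_mid[256], dec_mid[256];
static uint8_t enc_out[256], dec_out[256];

/* The only data shipped in the deployed program. */
static uint8_t T1[256], T2[256];

/* Generator side, run once before distribution. */
void build_tables(void) {
    random_bijection(enc_in,  dec_in);
    random_bijection(enc_mid, dec_mid);
    random_bijection(enc_out, dec_out);
    for (int v = 0; v < 256; v++) {
        T1[enc_in[v]]  = enc_mid[step1((uint8_t)v)];  /* K1 folded in */
        T2[enc_mid[v]] = enc_out[step2((uint8_t)v)];  /* K2 folded in */
    }
}

/* Deployed side: two table reads, no key, no plain intermediate value. */
uint8_t whitebox_eval(uint8_t encoded_input) {
    return T2[T1[encoded_input]];
}

/* Number of inputs for which the tables disagree with the reference. */
int count_mismatches(void) {
    int bad = 0;
    for (int x = 0; x < 256; x++) {
        uint8_t got = dec_out[whitebox_eval(enc_in[x])];
        if (got != step2(step1((uint8_t)x))) bad++;
    }
    return bad;
}

/* 1 if t is a permutation of 0..255, else 0. */
int is_permutation(const uint8_t t[256]) {
    uint8_t seen[256] = {0};
    for (int i = 0; i < 256; i++) {
        if (seen[t[i]]) return 0;
        seen[t[i]] = 1;
    }
    return 1;
}

int main(void) {
    build_tables();
    printf("mismatches against reference: %d\n", count_mismatches());
    printf("T1[0..3] = %02x %02x %02x %02x\n", T1[0], T1[1], T1[2], T1[3]);
    return 0;
}
```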

Hence, the invention can be employed to protect any manner of software from being analyzed, reverse-engineered, or simply observed to discover secure data such as secret keys. Secret keys can then be incorporated into software programs without the danger of the secret key being disclosed, or the program being altered to do anything other than what it was originally intended to do. As noted above, many digital marking algorithms employ secret keys to the extent that they contain secret data which defines the pattern of memory locations for the digital mark data, the parameters of any encoding, and the content of the digital mark itself.

More details on these and other white-box encoding techniques are described in the co-pending patent application titled System and Method for Protecting Computer Software from a White Box Attack, filed under the Patent Co-operation Treaty on Dec. 10, 2001, under Ser. No. PCT/CA01/01729; inventors: Stanley Chow, Harold Johnson, and Philip A. Eisen.

An Exemplary Application of TRS Techniques to Digital Media Systems

An exemplary implementation of the invention is presented in the flow chart of FIG. 5. In this embodiment, an audio or video digital media file is integrated with a media player and protected from tampering, so it is now in a form that it can be distributed (for example) on CD Roms, or posted on Web sites so that users can download these files either to personal computers (PC), personal digital assistants (PDA) or portable media players.

PCs have far more computing power than PDAs or portable media players, thus, files being executed on PC platforms can employ TRS encoding techniques that make the executable code more resource intensive to run. It is necessary, after all, for the media player to present content in real-time. However, as PDAs and portable media players become more powerful, it will be possible for them to use the more resource-intensive TRS techniques.

The process begins at step 90 where the media player is integrated with the media content. This step may also include the compilation of the media player from a high level language such as C code, into machine readable code.

The protective measures of the media player are now effected, which preferably takes the form of applying a digital mark to the media content at step 92.

There are many digital marking techniques known in the art which would be effective when applied with the balance of this routine.

Data-flow encoding is now applied to the integrated media player/media content, which now contains a digital mark, at step 94. As noted above, data-flow encoding protects the scalar data-flow and the ordinary computations of a program.

Different media players, digital marking techniques and media content may be suited to different forms of TRS encoding, but in general, data-flow encoding would be used to encode the scalar computations and ordinary computations used in playing the media content.

Using data-flow encoding, the digital mark will never be identifiable to an attacker observing the regular operation of the encoded program. More important, an attacker will not be able to identify the least significant data bits of the content, where the digital mark is usually hidden.

Next, control-flow encoding is used to encode the behaviour of the media player at step 96. As noted above, control-flow encoding protects the control logic, branch, and subroutine structure of the program. For example, control-flow encoding could be used to effect random access to the media content and the sequential access to pieces of the content; thus, if the control-flow were disturbed, chronological segments of the content would be scrambled.

Control-flow encoding could also be used to enforce desired behaviours such as those related to billing. Electronic commerce systems necessarily have critical decision branches which determine whether a particular access attempt should be considered a pass or a fail (for example, whether a user's password is acceptable, whether a user has sufficient funds in his account, whether a copy has already been made, etc.). If the attacker can locate this decision branch he could change it to approve all access attempts. Thus, this critical decision branch should be protected with control-flow encoding.

At step 98, mass-data encoding is then applied to the media content itself. As noted above, mass-data encoding protects mass-memory contents, that is, the contents of data structures, whether records, arrays, or pointer-linked, and the contents of external data structures such as the contents of files, messages, message pipes or other data streams, and the like. Mass-data encoding would protect the media content, so that it would be indecipherable without first cracking the data-flow and control-flow encodings. If the target device has sufficient resources, the mass data could also be encrypted using a manner of encryption known in the art (such as DES, AES, or some such symmetric key encipherment).

White-box cryptography is then applied to the program at step 100. As noted above, white-box cryptography protects cryptographic computations so that they can be performed without revealing their keys. In this particular application, white-box cryptography would be used to provide input-output mazes to ensure that the TRS could not be cracked in layers. Using the convention that, for any x, x′ is its ordinary TRS version, and x″ (where appropriate) is its white-box cryptographic version.

In the preferred embodiment, the following input and output schemes are used: Input′=W2″(W1″(Input)) for importing an ordinary value Input securely into the TRS world as Input′, and Output=W4″(W3″(Output′)) for exporting a TRS-encoded value Output′ securely to the non-TRS world as Output, where W1 and W3 are encryption functions, W2 and W4 are decryption functions, W2=W1⁻¹, and W4=W3⁻¹. For the sake of security, the size of Input or Output should be at least 64 bits, and preferably larger.

An alternative embodiment, a generalization of the method above, uses: Input′=D2′(D1′(Input)) for importing an ordinary value Input into the TRS world as Input′, and Output=D4′(D3′(Output′)) for exporting a TRS-encoded value Output′ to the non-TRS world as Output, where D1, D2, D3, D4 are arbitrary complicated functions, D1′, D2′, D3′, D4′ are their conversion to TRS using some combination of one or more of the data-flow, control-flow, and mass data encodings, with D2=D1⁻¹ and D4=D3⁻¹.

As well, if the media player had certain functions as part of its operation, such as generating a strong password in response to an access attempt, then the function being used to generate the strong password could be protected with white-box encoding.

All of the above kinds of TRS encoding are relevant to the conversion of ordinary digital content into active content, and all are relevant to the security of such content whereby we justify calling the employment of such active content in appropriate media ‘secure digital media’. Having access to the full armamentarium of encoding techniques as described above (data-flow, control-flow, mass-data and white-box encoding), permits us to cover a correspondingly wide spectrum of algorithms.

The content is now merged with the media player, and protected by its digital marking mechanism. This integrated program may now be made available to the public, either by being distributed on a CD Rom, or by posting it on a Web site so that it can be downloaded, at step 102.

As noted above, TRS will execute in the same way that any other executable code will execute. The executable code will be protected by the means effected at step 92, which cannot be undone by an attacker.

Advantages of TRS Over Alternative Embodiments

If we attempt to bundle together the executable protective code and the content, but we do not employ TRS, then we face the following difficulties:

1. indelible marking of ordinary or obfuscated software remains an unsolved problem. The extreme malleability of ordinary software, and the vulnerability of even obfuscated software to tampering attacks, makes it unlikely that it will be solved soon (if ever);
2. any security measures in the code and the data are revealed to a clever attacker, thereby vitiating such measures. While obfuscation of the software provides partial protection, obfuscated software remains highly susceptible to perturbation analysis, and other dynamic tracing attacks;
3. if ordinary software, or obfuscated software, rather than TRS, is used, the executable protection and the data content are easily separable. As soon as an attacker bypasses the security measures, the entire digital content is available to the attacker; and
4. the behaviour of ordinary software or obfuscated software is easily modifiable. Therefore, any desired behaviours on the part of the user (such as those related to payment) cannot be enforced securely.

In contrast, if TRS is used, rather than ordinary software or obfuscated software:

1. given means to create TRS, indelible digital marking can be achieved by the following mechanism: to mark a program P, instead of simply producing a TRS version, P′, of the program P, we replace it with the TRS version Q′ of the program Q, where Q is the program defined by the following pseudo-code:

       function Q(X):
           if X=K then return M
           else return P(X)

   where K is a special input, with a vanishingly small likelihood of being encountered in normal use (the key), and M is the digital mark to be embedded in the program and revealed by use of the key. Given any input but K, Q′ behaves exactly as P or P′ would behave. Given the input K, Q′ emits the digital mark, M.

   The important point is that TRS is a form of software which enables indelible digital marks, and as such, is a highly desirable form for the protection of content, which badly needs such legally viable protection in addition to other forms of protection;
2. any security measures in the code are concealed by the use of TRS;
3. using mass data encodings, the data portion is meaningless without the rest of the executable code; penetrating the data encoding is not possible without simultaneously penetrating the encoding of the executable code which accesses the data. Therefore, the attacker cannot separate the executable protection and the data content, and the attacker cannot gain direct access to the digital content; and
4. the behaviour of a TRS-form program is prohibitively difficult to modify without reducing the program to nonsense. Therefore the attacker cannot retain the usability of the content while simultaneously eliminating enforcement of behaviours (such as those related to payment).

Other Options and Applications

The invention can be applied with many other options and in many other applications, including the following:

1. an alternative methodology is to download player/content packages from a server to an end user (on a personal computer, for example), which are not watermarked or TRS-protected, but which execute on the end user's machine to become watermarked and TRS-protected (a “media batch file” of a sort).

   In other words, the end user downloads a single executable file. When the end user executes this file, it applies a watermark to the content it was sent with, and then the new watermarked file is TRS-encoded with the player (which was also part of the original downloaded file). This process defers all of the CPU intensive processing to the end user's personal computer, rather than having it performed on the server.

   The result of this execution on the client side may be an executable file, but does not have to be; for example, it may simply create a watermarked image;
2. protecting the digital content by encrypting it. The keys to undo the encryption may be stored in the TRS-encoded Player, where they would be safe from an attacker. This could be done by means of “partial evaluation”: taking the fixed data values from the key and inserting them into the equations of the media player. When the data-flow encoding is performed, the original data values from the key are combined with other data values and “disappear”;
3. the portability of the executable code can be severely limited by the judicious selection of the player itself. If the player can only operate on a single platform, then once in the TRS-encoded form, it will be impossible for attackers to move it elsewhere. The executable TRS-encoded software will be bonded to that particular platform. Similarly, the play back parameters of the player could also be fixed and TRS-encoded, further limiting the portability of the code; and
4. for use in connection with computing environments having very limited hardware resources (such as PDAs), this approach requires cross-generation of the TRS. That is, the TRS encoding must be performed on a platform with significant hardware resources, after which it can be downloaded to a resource weak platform such as a PDA.

While particular embodiments of the present invention have been shown and described, it is clear that changes and modifications may be made to such embodiments without departing from the true scope and spirit of the invention.

It is understood that as de-compiling and debugging tools become more and more powerful, the degree to which the techniques of the invention must be applied to ensure effective tamper protection, will also rise. As well, the concern for system resources may also be reduced over time as the cost and speed of computer execution and memory storage capacity continue to improve.

These improvements in system resources will also increase the attacker's ability to overcome the simpler tamper-resistance techniques included in the scope of the claims. It is understood, therefore, that the utility of some of the simpler encoding techniques that fall within the scope of the claims, may correspondingly decrease over time. That is, just as in the world of cryptography, increasing key-lengths become necessary over time in order to provide a given level of protection, so in the world of the instant invention, increasing complexity of encoding will become necessary to achieve a given level of protection.

The method steps of the invention may be embodied in sets of executable machine code stored in a variety of formats such as object code or source code. Such code is described generically herein as programming code, or a computer program for simplification. Clearly, the executable machine code may be integrated with the code of other programs, implemented as subroutines, by external program calls or by other techniques as known in the art.

The embodiments of the invention may be executed by a computer processor or similar device programmed in the manner of method steps, or may be executed by an electronic system which is provided with means for executing these steps.

Similarly, an electronic memory means such as computer diskettes, CD-Roms, Random Access Memory (RAM), Read Only Memory (ROM) or similar computer software storage media known in the art, may store code to execute such method steps. As well, electronic signals representing these method steps may also be transmitted via a communication network.

1. A method of protecting digital audio and/or visual and/or information content in integral combination with means for playing the content, for secure handling and distribution of the content, the method comprising the steps of: (a) providing an executable program configured for playing the digital content to one or more media output devices and including usage controls for providing protection to the digital content by controlling usage of the digital content; (b) embodying the digital content within the provided executable program by forming a content-distributing program, with embodied digital content, and with the provided executable program; and encoding the content-distributing program into a tamper-resistant content-distributing program, said encoding including generating software which obscures the content-distributing program and generating software which is chaotic upon modification to prevent direct theft of the content from the tamper-resistant content-distributing program and render the tamper-resistant content-distributing program resistant to removal of the usage controls, such that the tamper-resistant content-distributing program is in form for distribution and execution by computer processing means for playing the digital content to one or more media output devices.

2. The method of claim 1, wherein the step of embodying comprises embodying the digital content within the executable program's data.

3. The method of claim 1, wherein said step of encoding the content-distributing program into a tamper-resistant content-distributing program comprises data-flow encoding.

4. The method of claim 1, wherein said step of encoding includes generating the tamper-resistant content-distributing program for distribution as a media batch file suitable for transport on a commodity high-volume, highly portable media format, the media batch file being executable for playing the digital content to one or more media output devices and thereby restricting resource-intensive signal-processing required for the playing of the digital content until the content is played for consumption by one or more consumers of the content.

5. The method of claim 1 further comprising: generating a plurality of disparate instances of said digital audio and/or visual and/or information content; successively protecting each of the plurality of instances of content in integral combination with a randomly selected part of the means for playing, with different parts of the means for playing being combined with disparate content instances of the plurality of disparate content instances and all parts of the means for playing being combined with the plurality of disparate content instances, such that an attacker is presented with randomly differently constructed content-distributed programs for successive content instances.

6. The method of claim 5 performed at least in part by a compiler for automated production of the content-distributing programs.

7. An electronic device executing a compiler configured to perform the method of claim 5.

8. A computer-readable memory medium storing a compiler configured to perform the method of claim 5.

9. The method of claim 1 performed at least in part by a compiler for automated production of the content-distributing program.

10. An electronic device executing a compiler configured to perform the method of claim
 1. 11. Acomputer-readable memory medium storing a compiler configured to performthe method of claim
 1. 12. The method of claim 1, wherein the step ofembodying comprises embodying the digital content within an input streamto the executable program concealed by a form of encoding.
 13. Themethod of claim 1, wherein said step of encoding thecontent-distributing program into a tamper-resistantcontent-distributing program comprises mass-data encoding.
 14. Themethod of claim 1, wherein said step of encoding thecontent-distributing program into a tamper-resistantcontent-distributing program comprises encryption with a correspondingwhite-box decryption performed at a latest possible step.
 15. The methodof claim 1, wherein said step of encoding the content-distributingprogram into a tamper-resistant content-distributing program comprisescreating a watermark image and applying the watermark image to theexecutable program of the content-distributing program.